SIP vulnerable to hacking, testing shows

Testers recently found a vulnerability in the Session Initiation Protocol (SIP), an emerging standard used for connections between devices in IP networks such as voice-over-IP phones. But several vendors and analysts say they have heard no reports of significant problems from users.

The CERT Coordination Center at Carnegie Mellon University in Pittsburgh reported the vulnerability last week, citing a discovery by the Oulu University Secure Programming Group (OUSPG) in Finland. The OUSPG found that when a certain SIP test is applied to SIP clients and proxy servers, it causes unexpected system behaviour or a denial of service.

A Cisco Systems Inc. spokesman said today that the company has heard no complaints from its customers. But Cisco posted an advisory Feb. 21 saying the vulnerability affects two Cisco IP phones, the 7940 and 7960, among several other products. Some recommendations call for work-arounds or patches, depending on the device affected.

CERT said Nortel Networks Corp. is working on a software patch to address the vulnerability in its Succession Communications servers. That patch is due out by the end of the month.

John Pescatore, an analyst at Gartner Inc. in Stamford, Conn., said it is significant that the vulnerability doesn’t affect two major instant messaging protocols from Microsoft Corp. and America Online Inc. and that it seems to apply mainly to telephone clients. CERT has listed more than 80 vendors that make SIP-dependent products along with whether those products are affected. The group was still making updates to the list today.

David Fraley, also an analyst at Gartner, predicted in December that SIP would prove to have vulnerabilities that could invite security breaches. When he learned of the CERT warning this week, he said the vulnerability test is a welcome event that will help make SIP more rigorous.

“SIP is a very young protocol, and the way to get it mature is to have this kind of rigorous testing to occur,” Fraley said. “I would much rather Oulu find this than some hacker group.”

He urged companies and other users to take the time to research whether their products are vulnerable and to apply the needed patches or work-arounds.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now